In this article

With conditional access based on application sensitivity, you can set multi-factor authentication (MFA) access rules per application. MFA per application provides the ability to block access for users who are not on a trusted network. You can apply MFA rules to all users that are assigned to the application, or only for users within specified security groups. Users may be excluded from the MFA requirement if they are accessing the application from an IP address that is inside the organization’s network.

These capabilities will be available to customers that have purchased an Azure Active Directory Premium license.

Configure per-application access rules

Sign in to the Azure classic portal Using an account that is a global administrator for Azure AD.

On the left pane, select Active Directory.

On the Directory tab, select your directory.

Select the Applications tab.

Select the application that the rule will be set for.

Select the Configure tab.

Scroll down to the access rules section. Select the desired access rule.

Specify the users the rule will apply to.

Enable the policy by selecting Enabled to be On.

Understanding access rules

This section gives a detailed description of the access rules supported in the Azure Conditional Application Access.

Specifying the users the access rules apply to

By default the policy will apply to all users that have access to the application. However, you can also restrict the policy to users that are members of the specified security groups. The Add Group button is used to select one or more groups from the group selection dialog that the access rule will apply to. This dialog can also be used to remove selected groups. When the rules are selected to apply to Groups, the access rules will only be enforced for users that belong to one of the specified security groups.

Security groups can also be explicitly excluded from the policy by selecting the Except option and specifying one or more groups. Users that are a member of a group in the Except list will not be subject to the multi-factor authentication requirement, even if they are a member of a group that the access rule applies to.
The access rule shown below will require all users in the Managers group to use multi-factor authentication when accessing the application.

Conditional Access Rules with MFA

If a user has been configured using the per-user multi-factor authentication feature, this setting on the user will combine with the multi-factor authentication rules of the app. This means a user that has been configured for per-user multi-factor authentication will be required to perform multi-factor authentication even if they have been exempted from the application multi-factor authentication rules. Learn more about multi-factor authentication and per-user settings.

Access rule options

The following options are supported:

Require multi-factor authentication: The users to whom the access rules apply to, will be required to complete multi-factor authentication before accessing the application that the policy applies to.

Require multi-factor authentication when not at work: A user that is coming from a trusted IP address will not be required to perform multi-factor authentication. The trusted IP address ranges can be configured on the multi-factor authentication settings page.

Block access when not at work: A user that is not coming from a trusted IP address will be blocked. The trusted IP address ranges can be configured on the multi-factor authentication settings page.

Setting rule status

Access rule status allows turning the rules on or off. When the access rules are off, the multi-factor authentication requirement is not enforced.

Access rule evaluation

Access rules are evaluated when a user accesses a federated application that uses OAuth 2.0, OpenID Connect, SAML or WS-Federation. In addition, access rules are evaluated when the OAuth 2.0 and OpenID Connect use a refresh token to acquire an access token. If policy evaluation fails when a refresh token is used, the error invalid_grant will be returned, this indicates the user needs to re-authenticate to the client.

Configure federation services to provide multi-factor authentication

For federated tenants, MFA may be performed by Azure Active Directory or by the on-premises AD FS server.

By default, MFA will occur at a page hosted by Azure Active Directory. To configure MFA on-premises, the –SupportsMFA property must be set to true in Azure Active Directory, by using the Azure AD module for Windows PowerShell.